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Abstract 

Emerging systems such as smart grids or intelligent transportation systems often require end-user 
applications to continuously send information to external data aggregators performing monitoring or 
control tasks. This can result in an undesirable loss of privacy for the users in exchange of the benefits 
provided by the application. Motivated by this trend, this paper introduces privacy concerns in a system 
theoretic context, and addresses the problem of releasing filtered signals that respect the privacy of the 
user data streams. Our approach reUes on a formal notion of privacy from the database Uterature, caUed 
differential privacy, which provides strong privacy guarantees against adversaries with arbitrary side 
information. Methods are developed to approximate a given filter by a differentially private version, 
so that the distortion introduced by the privacy mechanism is minimized. Two specific scenarios are 
considered. First, the notion of differential privacy is extended to dynamic systems with many participants 
contributing independent input signals. Kalman filtering is also discussed in this context, when a released 
output signal must preserve differential privacy for the measured signals or state trajectories of the 
individual participants. Second, differentially private mechanisms are described to approximate stable 
filters when participants contribute to a single event stream, extending previous work on differential 
privacy under continual observation. 

Index Terms 

Privacy, Filtering, Kalman Filtering, Estimation 

I. Introduction 

A rapidly growing number of applications requires users to release private data streams to 
third-party applications for signal processing and decision-making purposes. Examples include 

J. Le Ny is with the department of Electrical Engineering, Ecole Polytechnique de Montreal, QC H3T 1J4, Canada. G. Pappas 
is with the Department of Electrical and Systems Engineering, University of Pennsylvania, Philadelphia, PA 19104, USA. 
jerome . le-ny@polymtl . ca, pappasgSseas . upenn . edu . 

Preliminary versions of this paper will appear at Allerton 2012 and CDC 2012. 



September 12, 2012 



DRAFT 



2 



smart grids, population health monitoring, online recommendation systems, traffic monitoring, 
fuel consumption optimization, and cloud computing for industrial control systems. For privacy or 
security reasons, the participants benefiting from the services provided by these systems generally 
do not want to release more information than strictly necessary. In a smart grid for example, a 
customer could receive better rates in exchange of continuously sending to the utility company her 
instantaneous power consumption, thereby helping to improve the demand forecast mechanism. 
In doing so however, she is also informing the utility or a potential eavesdropper about the type 
of appliances she owns as well as her daily activities [[T|. Similarly, individual private signals can 
be recovered from published outputs aggregated from many users, and anonymizing a dataset 
is not enough to guarantee privacy, due to the existence of public side information. This is 
demonstrated in [|2), [[3j for example, where private ratings and transactions from individuals 
on commercial websites are successfully inferred with the help of information from public 
recommendation systems. Emerging traffic monitoring systems using position measurements 
from smartphones Q is another application area where individual position traces can be re- 
identified by correlating them with public information such as a person's location of residence or 
work [4]. Hence the development of rigorous privacy preserving mechanisms is crucial to address 
the justified concerns of potential users and thus encourage an increasing level of participation, 
which can in turn greatly improve the efficiency of these large-scale systems. 

Precisely defining what constitutes a breach of privacy is a delicate task. A particularly 
successful recent definition of privacy used in the database literature is that of differential privacy 
||5|, which is motivated by the fact that any useful information provided by a dataset about a 
group of people can compromise the privacy of specific individuals due to the existence of side 
information. Differentially private mechanisms randomize their responses to dataset analysis 
requests and guarantee that whether or not an individual chooses to contribute her data only 
marginally changes the distribution over the published outputs. As a result, even an adversary 
cross-correlating these outputs with other sources of information cannot infer much more about 
specific individuals after publication than before [|6l. 

Most work related to privacy is concerned with the analysis of static databases [j5|, ||7|- 
||9|, whereas cyber-physical systems clearly emphasize the need for mechanisms working with 
dynamic, time- varying data streams. Recently, the problem of releasing differentially private 



statistics when the input data takes the form of a binary stream has been considered in |10| 
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|T2|. This work is discussed in more details in Section [VI-B[ A differentially private version of 



the iterative averaging algorithm for consensus is considered in [ 13 1. In this case, the input data to 
protect consists of the initial values of the participants and is thus a single vector, but the update 
mechanism subject to privacy attacks is dynamic. Information-theoretic approaches have also 



been proposed to guarantee some level of privacy when releasing time series [ 14 1, [ 15 1. However, 
the resulting privacy guarantees only hold if the statistics of the participants' data streams obey 
the assumptions made (typically stationarity, dependence and distributional assumptions), and 
require the explicit statistical modeling of all available side information. This task is very difficult 
in general as new, as -yet- unknown side information can become available after releasing the 
results. In contrast, differential privacy is a worst-case notion that holds independently of any 
probabilistic assumption on the dataset, and controls the information leakage against adversaries 
with arbitrary side information Q. Once such a privacy guarantee is enforced, one can still 
leverage potential additional statistical information about the dataset to improve the quality of 
the outputs. 

The main contribution of this paper is to introduce privacy concerns in the context of systems 
theory. Section |II] provides some technical background on differential privacy. We then formulate 
in Section [In] the problem of releasing the output of a dynamical system while preserving 
differential privacy for the driving inputs, assumed to originate from different participants. It 
is shown that accurate results can be published for systems with small incremental gains with 



respect to the individual input channels. These results are extended in Section IV to the problem 
of designing a differentially private Kalman filter, as an example of situation where additional 
information about the process generating the individual signals can be leveraged to publish more 



accurate results. Finally, Section VI is motivated by the recent work on "differential privacy under 



continual observation" pl)[ , pT] |, and considers systems processing a single integer- valued signal 
describing the occurrence of events originating from many individual participants. Differentially 
private approximations of the systems are proposed with the goal of minimizing the mean squared 
error introduced by the privacy preserving mechanism. Some additional references to the related 



hterature are provided in Section VI-B 
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II. Differential Privacy 

In this section we review the notion of differential privacy [[5| as well as some basic mecha- 
nisms that can be used to achieve it when the released data belongs to a finite-dimensional vector 
space. In the original papers on differential privacy [|5|, [|7), p6| , a sanitizing mechanism has 
access to a database and provides noisy answers to queries submitted by data analysts wishing 
to draw inference from the data. However, the notion of differential privacy can be defined for 
fairly general types of datasets. Most of the results in this section are known, but in some cases 
we provide more precise or slightly different versions of some statements made in previous 
work. We refer the reader to the surveys by Dwork, e.g., [17|, for additional background on 
differential privacy. 

A. Definition 

Let us fix some probability space (fi, J^, P). Let D be a space of datasets of interest (e.g., 
a space of data tables, or a signal space). A mechanism is just a map M : D x — )• R, for 
some measurable output space (R, M), where M. denotes a a-algebra, such that for any element 
d G D, M((i, ■) is a random variable, typically written simply M{d). A mechanism can be viewed 
as a probabilistic algorithm to answer a query q, which is a map g : D — > R. In some cases, we 
index the mechanism by the query q of interest, writing Mg. 

Example 1. Let D = W\ with each real-valued entry of d E D corresponding to some sensitive 
information for an individual contributing her data, e.g., her salary. A data analyst would like 
to know the average of the entries of d, i.e., the query is g : D — )■ M with q(d) = ^ J2'i=i ^i- 



As detailed in Section II-B[ a typical mechanism Mq to answer this query in a differentially 



private way computes q{d) and blurs the result by adding a random variable F : — ^ M, so that 
: D X ^- M with Mq{d) = \ YTi=\ + Y. Note that in the absence of perturbation Y, an 
adversary who knows n and all dj for j > 2 can recover the remaining entry di exactly if he 
learns q{d). This can deter people from contributing their data, even though broader participation 
improves the accuracy of the analysis, which can provide useful knowledge to the population as 
a whole. 

Next, we introduce the definition of differential privacy [[5J, [|7|. Intuitively, in the following 
definition, D is a space of datasets of interest, and we have a symmetric binary relation Adj on 
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D, called adjacency, such that Adj{d,d') if and only if d and d' differ by the data of a single 
participant. 

Definition 1. Let D be a space equipped with a symmetric binary relation denoted Adj, and let 
(R, M.) be a measurable space. Let e,5 > 0. A mechanism Af : D x f2 — )• R is (e, 5) -differentially 
private if for all d,d' e D such that Adj((i, d'), we have 

F{M{d) eS)< e'F{M{d') e S) + 6, V5 G M. (1) 

If 5 = 0, the mechanism is said to be e-differentially private. 

Intuitively, this definition says that for two adjacent datasets, the distributions over the outputs 
of the mechanism should be close. The choice of the parameters e, S is set by the privacy policy. 
Typically e is taken to be a small constant, e.g., e ~ 0.1 or perhaps even In 2 or In 3. The 
parameter 5 should be kept small as it controls the probability of certain significant losses of 
privacy, e.g., when a zero probability event for input d' becomes an event with positive probability 
for input in ([!]). 

Remark 1. The definition of differential privacy depends on the choice of a-algebra Ai in 
Definition [T| When we need to state this cr-algebra explicitly, we write M : D x i7 — )• (R, A^). 
In particular, this a-algebra should be sufficiently large, since ([T]) is trivially satisfied by any 
mechanism if = {0, R}. 

The next lemma provides alternative technical characterizations of differential privacy and 
appears to be new. First, we introduce some notation. We call a signed measure u on (R,A^) 
(5-bounded if it satisfies i^{S) < 5 for all S E Ai [ITsl p. 180]. A measure is sometimes called 
positive measure for emphasis. For (R, A^) a measurable space, we denote by ^-^(R) the space 
of bounded real-valued measurable functions on R and we define fig := J g dfi for g E Ji,(R) 
and n a positive measure on M . 

Lemma 1. The following are equivalent: 

(a) M is {e, 5)-dijferentially private, satisfying ([7|. 

(b) For all d,d'ED such that Adj{d, d'), there exists a S-bounded positive measure /i'^''^' on 
(R, A^) such that we have 

F{M{d) eS)< e'F{M{d') E S) + E M. (2) 
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(c) For all d,d'ED such that Adj{d,d'), there exists a 6-bounded positive measure fj,^'^' on 
(R, A^) such that for all g G J-fe(R), we have 

E{g{M{d))) < e^E{g{M{d'))) + fi^'^'g. (3) 
Proof: ([a]) ^ (|b]). Suppose that M is (e, 5) -differentially private. Define the signed measure 



j,d,d' by 5 ^ u'^^'^'iS) := F{M{d) e S)-e'F{M{d') e S) ^ Section 5.6]. By the definition 
^d,d' ^-bounded. Let fi^'''-' be the positive variation of v^'^' , i.e., /i'^''^'(5') = sup{z/(G) : G C S}, 
for all S G M.. Then fi^''^' is a positive measure [[l8| Section 5.6], is (5-bounded since z/^^/ is, 
and since u'^''^'{S) < for all S e M, we have g. 

(|b]) ^ (|c]): Let i? be a bound on g. For any k > 1, we divide the interval [—B,B] in k 
consecutive intervals Jj of length 2B/k, and we let Ai = g'^ih) and q be the mid-point of the 
interval Jj. Then (jcj) holds for the simple function Yli=i ^i^A^, and these functions approximate 
g. We conclude using the dominated convergence theorem. 

(|c]) ^ ([a]): Take g = Is and use the fact that i/''^' is 5-bounded. ■ 
A fundamental property of the notion of differential privacy is that no additional privacy 
loss can occur by simply manipulating an output that is differentially private. This result is 



similar in spirit to the data processing inequality from information theory [ 19|. To state it, recall 
that a probability kernel between two measurable spaces (Ri, A^i) and (R2, A^2) is a function 
: Ri X M.2 — [0, 1] such that A;(-, S) is measurable for each S G M.2 and k{r, ■) is a probability 
measure for each r G Ri. 

Theorem 1 (Resilience to post-processing). Let Mi : D xi7 — > {Ri, Mi) be an {e, 5) -differentially 
private mechanism. Let M2 : D x — )■ (R2, A^2) be another mechanism, such that there exists 
a probability kernel k : Ri x Ai2 — > [0, 1] verifying 

F{M2{d) G S\Mi{d)) = k{Mi{d),S), a.s.,yS G M2,\/d G D. (4) 

Then M2 is {e, 6) -differentially private. 

Note that in (|4]), the kernel k is not allowed to depend on the dataset d. In other words, this 
condition says that once Mi{d) is known, the distribution of M2{d) does not further depend 
on d. The theorem shows that a mechanism M2 accessing a dataset only indirectly via the 
output of a differentially private mechanism Mi cannot weaken the privacy guarantee. Hence 
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post-processing can be used freely to improve the accuracy of an output, as in Section IVI] for 
example, without worrying about a possible loss of privacy. 

Proof: To the best of our knowledge, there is no previous proof of the resilience to post- 
processing theorem available for the case of randomized post-processing and 5 > 0. Let Mi be 
(e, 5) -differentially private. We have, for two adjacent elements d,d'ED and for any S E M.2 

P(M2(ci) eS)= E[P(M2 e S\Mi{d))] = E[k{Mi{d), S)] 

< e'E[k{Mi{d'), S)] + [ k{mi, S) ci/''^'(mi) 



jRi 

= eT(M2(rf') e 5) + z/^'^'(5). 

The first equality is just the smoothing property of conditional expectations, and the inequal- 
ity comes from ^ applied to the function k(-,S). Since A; is a probability kernel, the inte- 
gral on the second line defines a measure u^'^' on R2, which is 5-bounded since u'^''^' (R2) = 
J^^ k{mi, R2)d/''^'(mi) = /^^ 1 d/'^'(mi) = /''^'(Ri) <6. U 

B. Basic Differentially Private Mechanisms 

A mechanism that throws away all the information in a dataset is obviously private, but not 
useful, and in general one has to trade off privacy for utility when answering specific queries. 
We recall below two basic mechanisms that can be used to answer queries in a differentially 
private way. We are only concerned in this section with queries that return numerical answers, 
i.e., here a query is a map g : D — t- R, where the output space R equals M'^ for some 1 < A; < 00, 
is equipped with a norm denoted || ■ ||r, and the cr-algebra on R is taken to be the standard 
Borel cr-algebra, denoted TZ''. The following quantity plays an important role in the design of 
differentially private mechanisms [|5|. 

Definition 2. Let D be a space equipped with an adjacency relation Adj. The sensitivity of a 
query g : D — )■ R is defined as Apg := maxrf^rf/.Adj(d,d') \\qid) — q{d')\\R. In particular, for R = M'^ 
equipped with the p-norm ||x||p = ( X]j=i l^jP) for p G [l,oo], we denote the ip sensitivity 
by Apq. 

1) The Laplace Mechanism: This mechanism, proposed in [5], modifies an answer to a 
numerical query by adding i.i.d. zero-mean noise distributed according to a Laplace distribution. 
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Recall that the Laplace distribution with mean zero and scale parameter b, denoted Lap (6), 
has density p{x;b) = ^ exp ^i^d variance 26^. Moreover, for w E M.'' with Wi iid and 

Wi ~ Lap(6), denoted w ~ Lap(6)'^, we have p{w;b) = (^)'^exp ^— ^^j, JE[||-u;||i] = b, and 
w\\i > tb) = e^*. 



Theorem 2. Let q : D ^ M*^ be a query. Then the Laplace mechanism Mg : D x — )■ M*^ defined 
by Mq{d) = q{d) + w, with w ~ Lap (6)*^ and b > is t-dijferentially private. 

Note that the mechanism requires each coordinate of w to have standard deviation proportional 
to Aig, as well as inversely proportional to the privacy parameter e (here 5 = 0). For example, 
if q simply consists of k repetitions of the same scalar query, then Aig increases linearly with 
k, and the quadratically growing variance of the noise added to each coordinate prevents an 
adversary from averaging out the noise. 

Proof: We have, for S* C M*^ measurable and d, d' two adjacent datasets in D, 

P{M,{d) eS)= (^^^ j^^ ls{q{d) + w)e-^dw = (^^^ j^^ ls{u)e-^''^ dw 

/ \ k 

\\q{d)-q{d')\\^ I 1\ / ^ , , \\u~q{d')\\-^ 



since — — q{d) || i < — — q{d') \\ i + \\q{d) — q(d') \\ i by the triangle inequality. With the choice 
of 6 = Aig/e, we obtain the definition ([T]) of differential privacy (i.e., with 6 = 0). ■ 
2) The Gaussian Mechanism: This mechanism, proposed in [|7||, is similar to the Laplace 
mechanism but adds i.i.d. Gaussian noise to obtain (e, 5) -differential privacy, with 5 > but 
typically a smaller e for the same utility. Recall the definition of the Q-function 

Q(x) := , / e 2 du. 

The following theorem tightens the analysis from [|7|. 

Theorem 3. Let q : D ^ be a query. Then the Gaussian mechanism Mg : D x f2 — )■ M 
defined by Mg{d) = q{d) + w, with w ~ J\f{0,a^lk), where a > ^{K + ^fWT^e) and 
K = Q^^{5), is {e, 6) -differentially private. 

Proof: Let d, d' be two adjacent elements in D, and denote v := q{d) — q{d'). We use the 
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notation || ■ || for the 2-norm in this proof. For S E V}, we have 

1 f IK-lP 1 f 

_\\u-q(d')\\^ 2(u-q{d'))Tv-\\vf 

2^ e ^ du 



(27ra2)*^/2 

The last integral term defines a measure 5 i— fi'^''^' (S) on M'^ that we wish to bound by 6. With 
the change of variables y = (u — q{d))/a and the choice S* = in the integral, we can rewrite 
it as ¥{Y'^v > ea - \\v\\^/2a), with Y ~ A/'(0,4). In particular, Y'^v ~ Af{0, \\v\\^), hence is 
equal to \\v\\Z in distribution, with Z ~ A/'(0, 1). We are then led to set a sufficiently large so 
that ¥{Z > ea/\\v\\ - \\v\\/2a) < 6, i.e., Q{ea/\\v\\ - \\v\\/2a) < 6. The result then follows by 
straightforward calculation. ■ 
As an illustration of the theorem, to guarantee (e, 5) -differential privacy with e = ln2 and 
S = 0.05, the standard deviation of the Gaussian noise should be about 2.65 times the £2 
sensitivity of q. For the rest of the paper, we define e) = ^{K + y/K'^ + 2e), so that the 
standard deviation a in Theorem [3] can be written a{S,e) = K{e,S)A2q. It can be shown that 
K{6,e) can be bounded by 0(ln(l/5))i/Ve. 

III. Differentially Private Dynamic Systems 

In this section we introduce the notion of differential privacy for dynamic systems. We start 
with some notations and technical prerequisites. All signals are discrete-time signals, start at 
time 0, and all systems are assumed to be causal. For each time T, let Pt be the truncation 
operator, so that for any signal x we have 

iPTx)t 

Hence a deterministic system Q is causal if and only if PtG = PtQPt- We denote by 
the space of sequences with values in and such that x G £™g if and only if P^x has finite 
p-norm for all integers T. The I-L2 norm and 7/oo norm of a stable transfer function Q are defined 
respectively as WQh = r_^Tv{g*{e'^)g{e'^))dujy\\\g\U = ess sup^g[_^,^) (T„,ax(6^(e'")), 
where crmax(^) denotes the maximum singular value of a matrix A. 
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Fig. 1. Illustrative example of a system computing the sum of the moving averages (MA) of input signals contributed by n 
individual participants. A differentially private version of this system, for the adjacency relation will guarantee to user i that 
the distribution of the output signal does not vary significantly when her input varies in r^-norm by at most bi. In particular, 
the distribution of the output signal will not change significantly if user i's input is zero {ui = 0, e.g., because the user is not 
present), or is not zero but satisfies |jMi||ri < bi. 

We consider situations in which private participants contribute input signals driving a dynamic 
system and the queries consist of output signals of this system. First, in this section, we assume 
that the input of a system consists of n signals, one for each participant. An input signal is 
denoted m = . . . , Un), with ui G for some rrii E N and rj G [1, oo]. A simple example 
is that of a dynamic system releasing at each period the average over the past / periods of the 
sum of the input values of the participants, i.e., with output j Xll=t-i+i Y^^=i tii^^ t' 

Fig. [Tj For r = (ri, . . . , r„) and m = (mi, . . . , m„), an adjacency relation can be defined on 
^re = ^n^e X • • • X ^5?^"e f^r cxamplc by Adj(M, u') if and only if u and u' differ by exactly one 
component signal, and moreover this deviation is bounded. That is, let us fix a set of nonnegative 
numbers 6 = (61, . . . , 6j > 0, and define 

Adj^(-u, u) iff for some i, \\ui — u[\\r^ < bi, and uj = u'j for all j 7^ i. (5) 

A. Finite-Time Criterion for Differential Privacy 

To approximate dynamic systems by versions respecting the differential privacy of the indi- 
vidual participants, we consider mechanisms of the form M : fJT'g x — )■ P^'^, i.e., producing for 
any input signal u G a stochastic process Mu with sample paths in £™g. As in the previous 
section, this requires that we first specify the measurable sets of l"^'^. We start by defining in a 
standard way the measurable sets of (M™ )^, the space of sequences with values in M™', to be 
the (T-algebra denoted Ai™-' generated by the so-called finite-dimensional cylinder sets of the 
form {y G (M™')^ : yo:T G i/r},for T > and /Jt G 7^(^+^)"'', where vq-.t denotes the vector 
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, . . . , y'p\^ (see, e.g., [20, chapter 2]). The measurable sets considered for the output of M are 
then obtained by intersection of £™g with the sets of M."^' . The resulting cr-algebra is denoted 
A^™g and is generated by the sets of the form 

HT = {ye : yo:T e Ht}, for T > 0, ff^ G 7^('^+l)'"'. (6) 

As for the dynamic systems of interest, we constrain in this paper the mechanisms to be causal, 
i.e., the distribution of PtMu should be the same as that of PtMPtu for any u E and any 
time T. In other words, the values Ut for t > T do not influence the values of the mechanism 
output up to time T. The following technical lemma is useful to show that a mechanism on 
signal spaces is (e, 5) -differentially private by considering only finite dimensional problems. 

Lemma 2. Consider an adjacency relation Adj on i^^. For a mechanism M : x — t- l"^'^, 
the following are equivalent 

(a) M is {e, 6) -differentially private. 

(b) For all u,u' in such that Adj {u,u'), we have 

P((Mm)o:t eA)<e' P((Mm')o:T G A) + 5, VT > 0, VA G 71^^+^^""'. (7) 



Proof: |a]) =^ 6) If Af is (e, 5) -differentially private, then for u,u' adjacent, and for all 
H e A^^e, we have P(Mm e H) < F{Mu' e H)+6. In particular, for a given integer T > 0, 
we can restrict our attention to the sets Ht of the form In this case, we have immediately 
P(Mm G Ht) = P((Mm)o;t G Ht) since the events are the same. 

!&]) =^j~a| Conversely, consider two adjacent signal u, u' G and let S G A^^g, for which 
we want to show Fix t] > 0. There exists T > and Ht e 7^(^+i)™' such that P(Mm G 
SAHt) < r] and F{Mu' G SAHt) < t], where AAB := {A\B)U{B\A) denotes the symmetric 
difference. This is a consequence for example of the fact that the finite-dimensional cylinder 



sets form an algebra and of the argument in the proof of [18 Theorem 3.1.10]. We then have 

F{Mu eS)< F{Mu eHT)+V = P((Mu)o:t e Ht) + v 

< e' P((Mm')o:T eHT) + 6 + 7] = e' F{Mu e Ht) + S + r] 

< e' F{Mu eS) + 6 + 7]{l + e'). 

Since r] can be taken arbitrarily small, the differential privacy definition ([T]) holds. I 
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B. Basic Dynamic Mechanisms 

Recall (see, e.g., [21]) that for a system Q with inputs in and output in its ^^.-to-^s 
incremental gain 7™'^(^) is defined as the smallest number 7 such that 

WPtGu - PtGu'Ws < -f\\PTU - Pru'Wr, ^u,u' e i"^,, VT. 

Now consider, for r = (ri, . . . , r„) and m = (mi, . . . , m„), a system ^ : /™g — )■ defined by 

n 

Q{Ui, . . . ,Un) = ^GiUi, (8) 
j=l 

where : £™'g — )■ for all 1 < i < n. The next theorem generalizes the Laplace and Gaussian 
mechanisms of Theorems [2] and |3] to causal dynamic systems. 

Theorem 4. Let Q be defined as in and consider the adjacency relation (|5]). Then the 
mechanism Mu = Qu + w, where w is a white noise with Wt ~ Lap{B/e)'^' and B > 
maxi<j<„{7™|(^j) is e-dijferentially private. The mechanism is {e,6)-dijferentially private 
ifwt ~ Af{0, cr'^Im'), with a > k{S, e) maxi<j<„{7;,^|(^i) bi}. 

Proof: Consider two adjacent signals u, u', differing say in their i^^ component. Then, for 
a G {1, 2}, we have 

\\PtGu - PrGu'Wa = WPrGiUi - PrGiu'^Wa < ln,a\\PTUi - PTu'iWn 

< 7n,a||Mi - Milin < 'ln,abi. 

This leads to a bound on the ii and £2 sensitivity of PtG, valid for all T. The result is then an 
application of Theorems [2] and [3] and Lemma [2} since Q is satisfied for all T. ■ 

Corollary 1. Let G be defined as in ([§]) with each system Gi linear, and r j = 2 for all 1 < i < n. 
Then the mechanism Mu = Gu + w, where w is a white Gaussian noise with Wf ~ A/'(0, cx'^Im') 
and a > e) maxi<j<„{||^j||oo is (e, 5) -differentially private for (|5]). 

C. Filter Approximation Set-ups for Differential Privacy 

Let Ti = 2 for all i and G be linear as in the Corollary [1} and assume for simplicity the 
same bound 6^ = . . . = 6^ = for the allowed variations in energy of each input signal. We 
have then two simple mechanisms producing a differentially private version of G, depicted on 
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Fig. 2. Two architectures for differential privacy, (a) Input perturbation, (b) Output perturbation. 

Fig. |2j The first one directly perturbs each input signal Ui by adding to it a white Gaussian noise 
Wi with Wi^t ~ A/'(0, cr^/m-) and = K{5,eYB. These perturbations on each input channel 
are then passed through Q, leading to a mean squared error (MSB) for the output equal to 
k{5, ^YB\\Q\\2 = k{5, e^B XlILi 11^*11 2- Alternatively, we can add a single source of noise at the 
output of Q according to Corollary [T| in which case the MSB is e)^i?maxi<j<„{||^j||^}. 
Both of these schemes should be evaluated depending on the system Q and the number n of 
participants, as none of the error bound is better than the other in all circumstances. For example, 
if n is small or if the bandwidths of the individual transfer functions Qi do not overlap, the error 
bound for the input perturbation scheme can be smaller. Another advantage of this scheme is 
that the users can release differentially private signals themselves without relying on a trusted 
server. However, there are cryptographic means for achieving the output perturbation scheme 
without centralized trusted server as well, see, e.g., [21]. 

Example 2. Consider again the problem of releasing the average over the past / periods of 
the sum of the input signals, i.e., Q = ^2^=1 Si with {GiUi)t = j Zlfc=t-/+i all i. Then 

= l/l, whereas ||^i||oo = 1j for all i. The MSB for the scheme with the noise at the input 
is then k(S, eYBn/l. With the noise at the output, the MSB is k{5, e^B, which is better exactly 
when n > I, i.e., the number of users is larger than the averaging window. 

IV. Differentially Private Kalman Filtering 

We now discuss the Kalman filtering problem subject to a differential privacy constraint. 
Compared to the previous section, for Kalman filtering it is assumed that more is publicly 
known about the dynamics of the processes producing the individual signals. The goal here 
is to guarantee differential privacy for the individual state trajectories. Section |V] describes an 
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application of the privacy mechanisms presented here to a traffic monitoring problem. 

A. A Differentially Private Kalman Filter 

Consider a set of n linear systems, each with independent dynamics 

Xi^t+i = Axi,t + BiWi^t, t >0, 1 <i <n, (9) 

where Wi is a standard zero-mean Gaussian white noise process with covariance E[wj ^Wj ^/] = 
5t-t', and the initial condition x^ o is a Gaussian random variable with mean Xi^, independent 
of the noise process Wi. System i, for 1 < i < n, sends measurements 

yi^t = Qxi^t + DiWi^t (10) 

to a data aggregator. We assume for simplicity that the matrices Di are full row rank. Figure [3] 
shows this initial set-up. 

The data aggregator aims at releasing a signal that asymptotically minimizes the minimum 
mean squared error with respect to a linear combination of the individual states. That is, the 
quantity of interest to be estimated at each period is zt = LiXi^t, where Li are given 

matrices, and we are looking for a causal estimator z constructed from the signals yi,l < i < n, 
solution of 



T-l 

i 

mm ^ 

z T^oo T 

t=0 



The data Xi^, Ai, Bi,Ci, Di, Li,l < i < n, are assumed to be public information. For all 1 < 
i < Ti, we assume that the pairs (v4j, Cj) are detectable and the pairs (v4j, are stabilizable. In 
the absence of privacy constraint, the optimal estimator is Zt = Yl^=i with Xj t provided 



by the steady-state Kalman filter estimating the state of system i from yi [23|, and denoted /Cj 
in the following. 

Suppose now that the publicly released estimate should guarantee the differential privacy of the 
participants. This requires that we first specify an adjacency relation on the appropriate space of 
datasets. Let x = [xf , . . . , x^]^ and y = [yf , . . . , y^]^ denote the global state and measurement 
signals. Assume that the mechanism is required to guarantee differential privacy with respect to 
a subset Si := {ii, . . . ,ik} of the coordinates of the state trajectory Xj. Let the selection matrix 
Si be the diagonal matrix with [Si]jj = 1 if j G Si, and [Si]jj = otherwise. Hence SiV sets the 
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yj 



Fig. 3. Kalman filtering set-up. 



coordinates of a vector v which do not belong to the set Si to zero. Fix a vector p G M" . The 
adjacency relation considered here is 

Adj'^{x,x') iff for some i, \\SiXi — 5'jX-||2 < Pi, (/ — Si)xi = (/ — (11) 

and Xj = x'j for all j i. 

In words, two adjacent global state trajectories differ by the values of a single participant, say i. 
Moreover, for differential privacy guarantees we are constraining the range in energy variation 
in the signal SiXi of participant i to be at most pf. Hence, the distribution on the released results 
should be essentially the same if a participant's state signal value SiXi^^ at some single specific 
time to were replaced by Six[^^ with \\Si{xi^t„ — Xito)\\ — Pi^ ^ut the privacy guarantee should 
also hold for smaller instantaneous deviations on longer segments of trajectory. Other adjacency 
relations could be considered, e.g., directly on the measured signals y or more generally on 
linear combinations of the components of individual states. 

Depending on which signals on Fig. |3] are actually published, and similarly to the discussion 



of Section III-C there are different points at which a privacy inducing noise can be introduced. 
First, for the input noise injection mechanism, the noise can be added by each participant directly 
to their transmitted measurement signal Namely, since for two state trajectories Xi, x[ adjacent 



according to (11 1 we have — a; • = Si{xi — x-), the variation for the corresponding measured 
signals can be bounded as follows 

WVi - y'ih = \\CiSi{Xi - X'i)\\2 = \\CiSiSi{Xi - X[)\\2 < 0-^a.x{CiSi)pi. 

Hence differential privacy can be guaranteed if participant i adds to yi a white Gaussian noise 
with covariance matrix K(5,eYpfa'^^^{CiSi)Ip^, where pi is the dimension of yi^f Note that in 
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this sensitivity computation the measurement noise DiWi has the same realization independently 
of the considered variation in Xj. At the data aggregator, the privacy -preserving noise can be 
taken into account in the design of the Kalman filter, since it can be viewed as an additional 
measurement noise. Again, an advantage of this mechanism is its simplicity of implementation 
when the participants do not trust the data aggregator, since the transmitted signals are already 
differentially private. 

Next, consider the output noise injection mechanism. Since we assume that Xq is public 
information, the initial condition Xi o of each state estimator is fixed. Consider now two state 



trajectories x, x', adjacent according to ( |TT| ), and let z, z' be the corresponding estimates produced 
by the Kalman filters. We have 

z - z = LilCi{yi - y'i) = LilCiCiSi{xi - x-), 

where we recall that /Cj is the i*^ Kalman filter. Hence \\z — z'\\2 < 'jiPi, where 7^ is the "Hoo 
norm of the transfer function LiJCiCiSi. We thus have the following theorem. 

Theorem 5. A mechanism releasing (XlILi ^i^iVi) + 7 ^('^5 ^) where v is a standard white 
Gaussian noise independent of {wj}i<i<„, {xi,o}i<i<n, and 7 = maxi<j<„{7jpj}, with 7^ the 
"Hoo norm of LiJCiCiSi, is differentially private for the adjacency relation ([77]). 



B. Filter Redesign for Stable Systems 

In the case of the output perturbation mechanism, one can potentially improve the MSE 
performance of the filter with respect to the Kalman filter used in the previous subsection. 
Namely, consider the design of n filters of the form 

Xi^t+i = FiXi^t + Giyi^t (12) 

Zi^t = HiXi^t + Kiyi^t, (13) 

for I < i < n, where Fi,Gi, Hi, Ki are matrices to determine. The estimator considered is 
Zt = ^"=1 Zi^t, so that each filter output Zi should minimize the steady-state MSE with Zi = LiXi, 



and the released signal should guarantee differential privacy with respect to (11). Assume first 
in this section that the system matrices Ai are stable, in which case we also restrict the filter 
matrices Fj to be stable. Moreover, we only consider the design of full order filters, i.e., the 
dimensions of Fi are greater or equal to those of Ai, for all 1 < z < n. 
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Denote the overall state for each system and associated filter by Xj = 
dynamics from Wi to the estimation error Ci := Zi — Zi can be written 

where 



. The combined 





A, 




B, 




, Bi = 


GiCi Fi 


GiDi 



5 Ci 



The steady-state MSE for the z*'* estimator is then limj_j.oo ^[eit^i,t] - Moreover, we are interested 
in designing filters with small "Hoc norm, in order to minimize the amount of noise introduced by 
the privacy-preserving mechanism, which ultimately also impacts the overall MSE. Considering 
as in the previous subsection the sensitivity of filter i's output to a change from a state trajectory 
X to an adjacent one x' according to (fTTl), and letting 6xi = — x ■ = Si{xi — x-) = Si6xi, we 



see that the change in the output of filter i follows the dynamics 

Sxi^t+i = Fi6xi^t + GiCiSiSxi 
6zi = Hi6xi^t + KiCiSi5xi. 
Hence the £2-sensitivity can be measured by the "Hoo norm of the transfer function 





GiCiSi 


Hi 


KiGiSi 



(14) 

Simply replacing the Kalman filter in Theorem [5| the MSE for the output perturbation 
mechanism guaranteeing (e, 5)-privacy is then 

n 

V \\Ci{zI - A,)-'Bi + AII2 + ef max{7fp2}, 

' l<j<n 
1=1 

with 7, := \\H^{zI - F,)-^G,GiSi + K,G,Si\\^. 
Hence minimizing this MSE leads us to the following optimization problem 

n 

min y ai + K{5,ef\ (15) 

1=1 

s.t. V 1 < i < n, 11^(2/ - AiY^Bi + AII2 < /^i, (16) 
pI\\H,{zI - FiY^GiGiSi + KiGiSiWi < X. (17) 
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Assume without loss of generality that Pi > for all i, since the privacy constraint for the signal 
Xi vanishes if p,; = 0. The following theorem gives a convex sufficient condition in the form 
of Linear Matrix Inequalities (LMIs) guaranteeing that a choice of filter matrices Fi^Gi, Hi, Ki 



satisfies the constraints (16)-(17). 



Theorem 6. The constraints ([76])-p7|), for some 1 < i < n, are satisfied if there exists matrices 

Wi, Yi, Zi, Fi, Gi, Hi, ki such that Tr(Wi) < /i,, 

V, {Li-k,C,-Hi) {Li-k,Ci) -kiDi 



* 
* 



* 
* 






/ 



^0, 



Zi Zi 



Z,Ai 



Z,Ai 



ZiBi 



Yi {YiAi + GiCi + F,) {YiAi + G,Ci) (Y.B, + GiDi) 
* Zi Zi 



* 



Y 





/ 



^0, 



and 



Zi 


z^ 














* 


Y, 










GiCiSi 


* 


* 









KiCiSi 


* 


* 


* 


Zi 


z^ 





* 


* 


* 


* 


Yi 





* 


* 


* 


* 


* 


/ 



>- 0. 



If these conditions are satisfied, one can recover admissible filter matrices Fi,Gi, Hi, Ki by 
setting 

F, = Vr'F,Z7%-T, Gi = V-'G„ H, = H.Z-'U-'^ , = k, (18) 



where Ui, Vi are any two nonsingular matrices such that ViU^ 



T 



I - YZi 



-1 
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Proof: For simplicity of notation, let us remove the subscript i in the constraints ([T6|)-(|T7]), 
since we are considering the design of the filters individually. Also, define A = A/p^. The 



condition (16) is satisfied if and only if there exist matrices W,Pi such that [24| 





W 


c 


D 




Pi 


PiA 


PiB 




TviW) < p, 


* 


Pi 







* 


Pi 





>- 




* 


* 


/ 




* 


* 


/ 





(19) 



For the constraint (17), first note that we have equality of the transfer functions 



F 


GCS 


H 


KCS 














F 


GCS 





H 


KCS 



for any matrix Ai, in particular for Ai the zero matrix of the same dimensions as A. With this 
choice, denote 



















A = 




, B = 




,c = 


H 


, D = KCS. 




F 




CCS 









Then the constraint (17) can be rewritten ||C(s/ — A) + D\\oo < X, and is satisfied if and 



only if there exists a matrix P2, of the same dimensions as Pi, such that [24| 



P2 





P2A 


P2B 


* 


XI 


c 


D 


* 


* 







* 


* 


* 


/ 



>- 0. 



The sufficient condition of the theorem is obtained by adding the constraint 

P:=Pi = P2 



(20) 



(21) 



and using the change of variable suggested in [25 p. 902]. Namely, assume that there are matrices 



F, G, H, K, P, and W satisfying ( |19[ ), ( |20[ ), ( |2l| ). We partition the positive definite matrix P and 
its inverse as 





Y 


V 




X 


u 


p = 














Y 






X 
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Note that YX + VU^ = I. Define 





X 


I 




I 


Y 


Jl = 



























(22) 



Then we have PJi = J 2- Moreover 
X I 



JtPJi 



I Y 



, J^PAJi 



J^PB 



B 

YB + VGD 



CJi 



AX A 

YAX + VGCX + VFU^ YA + VGC 



{L-KC)X-HU^ L-KC 



Similarly, 



J^PAJi 




VFU^ 



J^PB 





VGCS 



GJi 



HU^ 



Let Z = X ^. Consider first the congruence transformations 



of the first LMI in ( 19) by diag(/, Ji, /) and then by diag(/, Z, /, /), 



• of the second LMI in (19) by diag(Ji, Ji, /), and then by diag(Z, /, Z, I, I), 
. and of the LMI (|20|) by diag( Ji, /, Ji, /), and then by diag(Z, I, I, Z, I, I). 
Then, the transformation F = VFU'^Z,G = VG,H = HU'^Z, between the filter matrix 
variables F, G, H and the new variables F, G, H leads to the LMIs of the theorem. Hence these 



LMIs are necessarily satisfied if the constraints (19), (20) are satisfied together with (21). 
Now suppose that the LMIs of the theorem are satisfied. Since Z ;^ 0, we can define X = Z^^. 
Z Z 



Moreover, since 



Z Y 



>- 0, we have Y y X ^ by taking the Schur complement, and so 



/ — XY is nonsingular. Hence we can find two n x n nonsingular matrices U, V such that 
UV^ = I — XY. Then define the nonsingular matrices Ji, J 2 as in (22), let P = J2Ji^, and 



define the matrices F,G,H,K as in (18). Since Ji is nonsingular, we can then reverse the 



congruence transformations to recover (19), (20), which shows that the constraints (16), (17) are 
satisfied. ■ 



Note that the problem ( 15 ) is also linear in fii,X. These variables can then be minimized subject 
to the LMI constraints of Theorem [6] in order to design a good filter trading off estimation error 
and ^^-sensitivity to minimize the overall MSB. However, including these variables directly in 
the optimization problem can lead to ill-conditioning in the inversion of the matrices f/^, Vi in 



(18), a phenomenon discussed together with a recommended fix in [25, p. 903]. 
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C. Unstable Systems 

If the dynamics (|9]) are not stable, the linear filter design approach presented in the previous 
paragraph is not valid. To handle this case, we can further restrict the class of filters. As before 
we minimize the estimation error variance together with the sensitivity measured by the "Hoo 



norm of the filter. Starting from the general linear filter dynamics (12), (13), we can consider 
designs where is an estimate of Xi, and set Hi = L^, Ki = 0, so that Zi = LiXi is an estimate 
of Zi = LiXi. The error dynamics Cj := Xi — Xi then satisfies 

ei,t+i = {A - GiCi)xi^t - FiXi^t + {Bi - GiD,j)wi^f 
Setting Fi = {Ai — GiCi) gives an error dynamics independent of Xi 

ei^t+i = {Ai - GiCi)ei^t + {Bi - GiDi)wi^t, (23) 

and leaves the matrix Gi as the only remaining design variable. Note however that the resulting 
class of filters contains the (one-step delayed) Kalman filter. To obtain a bounded error, there is 
an implicit constraint on Gi that Ai — GiGi should be stable. 

Now, following the discussion in the previous subsection, minimizing the MSE while enforcing 
differential privacy leads to the following optimization problem 



min /ij + K,{5, e)^A 

«=i 

s.t. V 1 < z < \\Li{zI - {Ai - GiG,)Y\B, - GiD,)\\ < fa 
pIWHzI - {A, - G,Gi))-^G,CM'L < A. 



(24) 

(25) 
(26) 



Again, one can efficiently check a sufficient condition, in the form of the LMIs of the following 



theorem, guaranteeing that the constraints (25), (26) are satisfied. Optimizing over the variables 



Xi,Hi,Gi can then be done using semidefinite programming. 



Theorem 7. The constraints {25)-{u6u, for some 1 < i < n, are satisfied if there exists matrices 



Yi,Xi, Gi such that 



Tr{Y,LjLi) < fii 



Yi I 
I Xi 



^0, 



Xi XiAi — GiGi XiBi — GiDi 



Xi 





I 



y 0, (27) 
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and 
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, one 


can 


recover 






/ 



>- 0. 



(28) 



Gi — X- ^Gi- 



Proof: As in Theorem (|6]), we simplify the notation below by omitting the subscript i. First, 



from the error dynamics (23), the constraint (25) is satisfied if and only if there exists a positive 



definite matrix P such that p4 | 

Tr(PL^L) < /i, {Ai - GiC,)P(A - G.C^f + (B, - GiD,){Bi - G,Dif -< P. 

Letting X = P^^, introducing the slack variable Y, the change of variable G = XG, and using 
the Schur complement shows that these conditions are equivalent to the existence of two positive 



definite matrices X,Y such that i\2Jn is satisfied. The LMI (ESI) derived from (26) is standard 



[24|, see also ( |20l ). As in Theorem [6[ we restrict the search in this LMI to the same matrix X 



as in (27), which results in a convex problem but introduces some conservatism. 



V. A Traffic Monitoring Example 

Consider a simplified description of a traffic monitoring system, inspired by real-world im- 
plementations and associated privacy concerns as discussed in Q, p6| for example. There are 
n participating vehicles traveling on a straight road segment. Vehicle i, for 1 < i < n, is 
represented by its state = [^i,t,^i,t]'^ , with and its position and velocity respectively. 
This state evolves as a second-order system with unknown random acceleration inputs 





1 Ts 




T!/2 













1 




Ts 






where Ts is the sampling period, Wi^t is a standard white Gaussian noise, and an > 0. Assume for 
simplicity that the noise signals Wj for different vehicles are independent. The traffic monitoring 
service collects GPS measurements from the vehicles [4], i.e., receives noisy readings of the 
positions at the sampling times 



yi,t 



1 



Xi.t + cr. 



i2 



1 
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with crj2 > 0. 

The purpose of the traffic monitoring service is to continuously provide an estimate of the 
traffic flow velocity on the road segment, which is approximated by releasing at each sampling 
period an estimate of the average velocity of the participating vehicles, i.e., of the quantity 



1 " 
n ^-^ 



(29) 



With a larger number of participating vehicles, the sample average ( [29] ) represents the traffic flow 
velocity more accurately. However, while individuals are generally interested in the aggregate 
information provided by such a system, e.g., to estimate their commute time, they do not 
wish their individual trajectories to be publicly revealed, since these might contain sensitive 
information about their driving behavior, frequently visited locations, etc. Privacy-preserving 
mechanisms for such location-based services are often based on ad-hoc temporal and spatial 
cloaking of the measurements [[4|, p7| . However, in the absence of a quantitative definition of 
privacy and a clear model of the adversary capabilities, it is common that proposed techniques are 
later argued to be deficient [ [28| , p9| . The temporal cloaking scheme proposed in Q for example 
aggregates the speed measurements of k users successively crossing a given line, but does not 
necessarily protect individual trajectories against adversaries exploiting temporal relationships 



between these aggregated measurements p8| . 

1 ) Numerical Example: We now discuss some differentially private estimators introduced in 



Section |W} in the context of this example. All individual systems are identical, hence we drop 

1 



the subscript i in the notation. Assume that the selection matrix is S 







, that p = 100 m. 



Tg = Is, an = (Jj2 = 1, and e = ln3, 5 = 0.05. A single Kalman filter denoted JC is designed to 
provide an estimate Xi of each state vector Xi, so that in absence of privacy constraint the final 
estimate would be 



k\j:^y^ 



i=l 



1 



n 



Finally, assume that we have n = 200 participants, and that their mean initial velocity is 45 
km/h. 

In this case, the input noise injection scheme without modification of the Kalman filter is 
essentially unusable since its steady-state Root-Mean-Square-Error (RMSE) is almost 26 km/h. 
However, modifying the Kalman filter to take the privacy preserving noise into account as 
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Fig. 4. Two differentially private average velocity estimates, with n = 200 users. The Kalman filters are initialized with the 
same incorrect initial mean velocity (75 km/h), in order to illustrate their convergence time. 



additional measurement noise leads to the best RMSE of all the schemes discussed here, of 
about 0.31 km/h. Using the Kalman filter /C with the output noise injection scheme leads to 
an RMSE of 2.41 km/h. Moreover in this case ||/C||oo = 0.57 is quite small, and trying to 
balance estimation with sensitivity using the LMI of Theorem |7] (by minimizing the MSB while 
constraining the 'Hoo norm rather than using the objective function ([24])) only allowed us to 
reduce this RMSE to 2.31 km/h. However, an issue that is not captured in these steady-state 
estimation error measures is that of convergence time of the filters. This is illustrated on Fig. |4} 
which shows a trajectory of the average velocity of the participants, together with the estimates 
produced by the input noise injection scheme with compensating Kalman filter and the output 
noise injection scheme following /C. Although the steady-state RMSE of the first scheme is 
much better, its convergence time of more than 1 min, due to the large privacy-preserving noise, 
is also much larger. This can make this scheme impractical, e.g., if the system is supposed to 
respond quickly to an abrupt change in average velocity. 



VL Filtering Event Streams 



This section considers an application scenario motivated by the work of [10|, [30|. Assume 
now that an input signal is integer valued, i.e., G Z for all t > 0. Such a signal can record 
the occurrences of events of interest over time, e.g., the number of transactions on a commercial 



website, or the number of people newly infected with a virus. As in [10|, [30|, two signals u 
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and u' are adjacent if and only if they differ by one at a single time, or equivalently 

M]{u,u') m\\u-u\\i = l. (30) 
The motivation for this adjacency relation is that a given individual contributes a single event 



to the stream, and we want to preserve event-level privacy [10|, that is, hide to some extent the 
presence or absence of an event at a particular time. This could for example prevent the inference 
of individual transactions from publicly available collaborative filtering outputs, as in [[3|. Even 
though individual events should be hidden, we are still interested in producing approximate 
filtered versions of the original signal, e.g., a privacy-preserving moving average of the input 



tracking the frequency of events. The papers [10|, pO| consider specifically the design of a 



private counter or accumulator, i.e., a system producing an output signal y with yt = yt~i + Ut, 
where u is binary valued. Note that this system is unstable. A number of other filters with slowly 



and monotonically decreasing impulse responses are considered in [ 12|, using a technique similar 



to [30 1 based on binary trees. Here we show certain approximations of a general linear stable 



filter Q that preserve event-level privacy. We first make the following remark. 

Lemma 3. Let Q be a single-input single-output linear system with impulse response g. Then for 



the adjacency relation {30) on integer-valued input signals, the ip sensitivity ofQ is ApQ = \\g\ 



In particular for p = 2, we have = \\G\\2, the norm ofQ. 

Proof: For two adjacent binary-valued signals m, u' , we have that m — m' is a positive or 
negative impulse signal 5, and hence 

\\gu - Qu'Wp = \\g{u - u)\\p = \\g6\\p = \\g * 6\\p = \\g\\p. 



We measure the utility of specific schemes throughout this section by the MSE between 



the published and desired outputs. Similarly to our discussion at the end of Section III there 
are two straightforward mechanisms that provide differential privacy. One can add white noise 
w directly on the input signal, with wt ~ Lap(l/e) for the Laplace mechanism and wt ~ 
J\f{0, k{S, e)) for the Gaussian mechanism. Or one can add noise at the output of the filter 
Q, with Wt ~ Lap(||(7||i/e) for the Laplace mechanism and wt ~ J\f{0,\\g\\2K{5,e)) for the 
Gaussian mechanism. For the Gaussian mechanism, one obtains in both cases an MSE equal 
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Fig. 5. Differentially private filter approximation set-up. 



to 11^112 e)^. For the Laplace mechanism, it is always better to add the noise at the input. 
Indeed, we obtain in this case an MSE of 2||(7||2/e^ instead of the greater 2||(7||^/e^ if the noise 
is added at the output. 

We now generalize these mechanisms to the approximation set-up shown on Fig. [5} The 
previous mechanisms are recovered when Qi or Q2 is the identity operator. To show that one can 
improve the utility of the mechanism with this set-up, consider the following choice of filters Qi 
and Q2- Let Qi be a stable, minimum phase filter (hence invertible). Let Q2 = QQi^ ■ We call this 
particular choice the zero forcing equalization (ZFE) mechanism. To guarantee (e, 5) -differential 
privacy, the noise w is chosen to be white Gaussian with a = k{5, e)\\Qi\\2. The MSE for the 
ZFE mechanism is 



e'JsF := lim ;^ ^ E[|| (^n), - (^n + ^^fM^llz 

T— s>oo I 

t=0 
^ 00 

lim -Y.E[\\{gg^'wUl] = ^{e,6ng4l\\gg, 



-1||2 
2- 



i=0 

Hence we are lead to consider the following problem 

min||c;,ii^liec;fii? = £ ig,(en\^-^ 

where the minimization is over the stable, minimum phase transfer functions ^1. 
Theorem 8. We have, for any stable, minimum phase system ^1, 

This lower bound on the mean-squared error of the ZFE mechanism is attained by letting 
\gi{e^'^)\^ = X\g{e^'^)\ for all u G [— vr, vr), where A is some arbitrary positive number. It can 
be approached arbitrarily closely by stable, rational, minimum phase transfer functions ^1. 



2 
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Proof: By the Cauchy-Schwarz inequality, we have 



\Q{en\d^ 



diij 



< 



/•TT 




/ — TT 


(e>) 



hence the bound. Moreover, equality is attained if and only if there exists A G M such that 



i.e., \Qxie 



To see that the bound can be approached using finite-dimensional filters, by Weierstrass theorem 
we can first approximate |^(e-''^)| arbitrarily closely by a rational positive function Q. We then 
set Q\ to be the minimum-phase spectral factor of Q. ■ 
The MSE obtained for the best ZFE mechanism in Theorem [8] cannot be worse than the MSE 
for the scheme adding noise at the input, and is generally strictly smaller, since by Jensen's 
inequality we have 



\Q(e 



2ti 



Ml 



In addition, the MSE of the ZFE mechanism is independent of the input signal u. However, 
a smaller error could be obtained with other schemes, in particular schemes that exploit some 
knowledge about the input signal. Note that once Qi is chosen, designing Q2 is a standard 



equalization problem [31 1. The name of the ZFE mechanism is motivated by the choice of trying 
to cancel the effect of Qi by using its inverse (zero forcing equalizer). Nonlinear components 
can be very useful as well. In particular if we add the hypothesis that the input signal is binary 



valued, as in 1 10|, [30|, we can modify the simple scheme adding noise at the input by including 
a detector H in front of the system Q, namely, for Ut = Ut + Wt, 



Hiut) 



1, ut> 1/2, 
0, Mi < 1/2. 

This exploits the knowledge that the input signal is binary valued, preserves differential privacy 
by Theorem [T| and sometimes significantly improves the MSE, depending on other characteristics 
of the signal. 



A. Exploiting Additional Public Knowledge 

To further illustrate the idea of exploiting potentially available additional knowledge about 
the input signal, consider using a minimum mean squared error (MMSE) estimator for Q2 rather 
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than employing GQ^^, since the latter can significantly amplify the noise at frequencies where 
Qi is small. Let us assume that Qi is already chosen, e.g., according to Theorem [8] (this choice 
is not optimal any more if Q2 is not GQi^). Moreover, assume that that it is publicly known that 
u is wide- sense stationary with mean and autocorrelation denoted 

E[ut] = fi, E[usUt] =: Ru[s - t]. 

From this data, the second order statistics of y and z on Fig. 1 are also known, in particular 

Rz = f * f* Ru + 0-^5, Ryz = g* f* Ru, 



where = k{5, e)^||^i||i, S is the impulse signal, / is the impulse response of Qi, and ft = f-t- 
We then design Q2 to minimize the MSE 

n\yt-yt\% 

For simplicity, consider the case where Q2 is restricted to be a finite-impulse response filter, i.e., 

N 

yt = {Q2z)t = ^ hkZt-k, 

k=0 

where N is the order of the filter. The vector h = [ho, ... ,hiy]'^ is the solution of the Yule-Walker 



equations [32| 



R,[0] R,[l] ... Rz[N] 
R,[l] RM ... R,[N-1] 



h 



_R.m ^.[0] 

According to Theorem [T| differential privacy is preserved since the filter Q2 only processes 
the already differentially private signal z. Even if the statistical assumptions turn out not to be 
satisfied by u, the privacy guarantee still holds and only performance is impacted. 

Example 3. Fig. |6] illustrates the differentially private output obtained by the MMSE mechanism 
approximating the filter Q = 1/(5(2) + 0.05), with s{z) the bilinear transformation 

The input signal is binary valued and the privacy parameters are set to e = ln3, 5 = 0.05. 
For this specific input, the empirical MSE of the ZEE is 5.8, compared to 4.6 for the MMSE 
mechanism. The simpler scheme with noise added at the input is essentially unusable, since its 
MSE is K,iS,e)^\\Q\\l ^ 30.1. Adding a detector reduces this MSE to about 17. 
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Fig. 6. Sample path for the MMSE mechanism. 



B. Related Work 



Some papers closely related to the event filtering problem considered in this section are 1 10 1- 
p2| , [33|. As previously mentioned, [10|, [33| consider an unstable filter, the accumulator. The 
techniques employed there are quite different, relying essentially on binary trees to keep track of 
intermediate calculations and reduce the amount of noise introduced by the privacy mechanism. 



Bolot et al. [ 12| extend this technique to the differentially private approximation of certain filters 
with monotonic, slowly decaying impulse response. In fact, this technique can be extended to 
general linear systems by using a state-space realization and keeping track of the system state 
at carefully chosen times in a binary tree. However, the usefulness of this approach seems to 
be limited for most practical stable filters, the resulting MSE being typically too large and the 
implementation of the scheme significantly more complex than for a simple recursive filter. 

Finally, as with the MMSE estimation mechanism, one can try to use additional information 
about the input signals to calibrate the amount of noise introduced by the privacy mechanism. 
For example, if there exists a sparse representation of the signal in some basis (such as a Fourier 
or a wavelet basis), then one can try to perturb the representation coefficients in this alternate 
basis. For example, p3| perturbs the largest coefficients of the Discrete Fourier Transform of the 
signal. A difficulty with such approaches is that they are typically not causal and not recursive, 
requiring an amount of processing that increases with time. 
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VII. Conclusion 

We have discussed mechanisms for preserving the differential privacy of individual users 
transmitting time-varying signals to a trusted central server releasing sanitized filtered outputs 



based on these inputs. Decentralized versions of the mechanism of Section III can in fact 
be implemented in the absence of trusted server by means of cryptographic techniques [33|. 
We believe that research on privacy issues is critical to encourage the development of future 
cyber-physical systems, which typically rely on the users data to improve their efficiency. 
Numerous directions of study are open for dynamical systems, including designing better filtering 
mechanisms, and understanding design trade-offs between privacy or security and performance 
in large-scale control systems. 
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